How can I protect my Vaultwarden account from brute-force attacks?

How can I protect my server accounts from password brute force?

Bitwarden’s FAQ has such a question and answer (Emails from Bitwarden | Bitwarden Help Center):

How can I protect my Bitwarden account from brute-force attacks?

A: A brute-force attack is when a malicious actor cycles through a combination of weak and short passwords in an attempt to gain access to your account. Bitwarden offers a few ways you can protect yourself from these potential attacks:

  • Have a long and unique master password. Bitwarden requires a 12 character minimum to increase account security.
  • Set up 2FA on all Bitwarden accounts to add an additional layer of security.
  • Bitwarden will require CAPTCHA verification after 9 failed login attempts from an unknown device.

Bitwarden’s website has an article about sending an email when a login attempt fails (Emails from Bitwarden | Bitwarden Help Center):

1. Vaultwarden does not have captcha?
2. Vaultwarden can’t send emails on failed login attempt?

1. Vaultwarden does not have captcha?

We do not indeed; if I'm correct, this is not active for self-hosted instances (even the Bitwarden self-hosted ones).
We do have a rate limit on this, so that should prevent brute-force attacks.
See:

2. Vaultwarden can’t send emails on failed login attempt?

We currently do not indeed. We do for successful logins from unknown devices.
But this is a nice feature to add; I'll put it on the list.

4 Likes

Thank you for your answers.

  1. That’s right, now the limit on the number of login attempts is triggered on failed login attempts.
    What should I specify for LOGIN_RATELIMIT_SECONDS and LOGIN_RATELIMIT_MAX_BURST so that after 10 failed login attempts, the next one will be in 5 minutes?
  2. This is a great option. We hope it will be added soon. Thanks.

If I'm correct, off the top of my head that would be:
LOGIN_RATELIMIT_SECONDS=300
LOGIN_RATELIMIT_MAX_BURST=10

I set 10 here, but keep in mind that since you use 2FA, the clients call that endpoint a second time within those 5 minutes.

Also note, we do this for every attempt, not only failed logins, because someone could also try to use invalid logins or try multiple, etc.

So, this does mean that if you login from the same IP on 5 different devices which all need to enter a 2FA within 5 minutes, that after that you can’t login anymore, and need to wait for 5 minutes to try again.

1 Like

Does this work for the IP-to-account mapping in Vaultwarden?
For example: I have 50 users who log in from the same IP (NAT) to Vaultwarden. User user1@email.com entered a wrong password 10 times. Will only user1@email.com or all users get the login restriction (5 minutes)?

It’s per IP. Nothing else is used to match it.
Else an attacker could just switch between multiple accounts if they know more accounts on a specific deployment exists.

1 Like
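As an added example, not part of the thread and not Vaultwarden's own code: a small Python model of the per-IP login limiter described in the replies above (every call to the login endpoint counts, successful or not, and the key is the client IP only), parameterised by LOGIN_RATELIMIT_SECONDS and LOGIN_RATELIMIT_MAX_BURST. It assumes the limiter behaves like a GCRA/token bucket that holds LOGIN_RATELIMIT_MAX_BURST attempts and replenishes one attempt every LOGIN_RATELIMIT_SECONDS (the meaning of the governor crate's Quota::with_period(...).allow_burst(...), which is what Vaultwarden feeds these settings into; treat the exact timing as an assumption rather than something the thread states). The IP addresses, timings and scenario functions are constructed for illustration; they reproduce the three answers given above: 11th attempt waits 5 minutes, a second user behind the same NAT is blocked too, and five 2FA logins from one IP exhaust a burst of 10.

```python
"""Model of Vaultwarden's per-IP login rate limit (added example, not project code).

Matching .env settings for the numbers used below (assumed to mean
"burst of 10 attempts, one attempt replenished every 300 s"):
    LOGIN_RATELIMIT_SECONDS=300
    LOGIN_RATELIMIT_MAX_BURST=10
"""
from dataclasses import dataclass, field


@dataclass
class LoginRateLimiter:
    period: float            # LOGIN_RATELIMIT_SECONDS: seconds to replenish one attempt
    burst: int               # LOGIN_RATELIMIT_MAX_BURST: attempts allowed back to back
    # GCRA state: theoretical arrival time of the next request, per client IP.
    # The key is the IP alone, so everyone behind one NAT shares a bucket.
    _tat: dict = field(default_factory=dict)

    def check(self, ip: str, now: float) -> tuple[bool, float]:
        """Account for one call to the login endpoint from `ip` at time `now`.

        Returns (allowed, retry_after_seconds). Every call counts, whether the
        password was right or wrong, which is why 2FA logins cost two attempts.
        """
        # Idle time beyond "now" does not bank extra attempts.
        tat = max(self._tat.get(ip, now), now)
        # A request conforms when it is no earlier than tat minus the burst allowance.
        earliest = tat - (self.burst - 1) * self.period
        if now < earliest:
            return False, earliest - now
        self._tat[ip] = tat + self.period
        return True, 0.0


def scenario_single_ip(period: float = 300, burst: int = 10):
    """One attacker IP: burst attempts pass, the next one must wait `period`."""
    lim = LoginRateLimiter(period, burst)
    ip = "203.0.113.7"                      # constructed attacker address
    first_batch = [lim.check(ip, 0.0)[0] for _ in range(burst)]
    blocked, wait = lim.check(ip, 0.0)      # attempt number burst+1
    allowed_later, _ = lim.check(ip, wait)  # retry exactly when told to
    return all(first_batch), blocked, wait, allowed_later


def scenario_shared_nat(period: float = 300, burst: int = 10):
    """user1 behind a NAT burns the budget; user2 on the same IP is blocked too."""
    lim = LoginRateLimiter(period, burst)
    nat_ip, other_ip = "198.51.100.2", "198.51.100.9"   # constructed addresses
    for _ in range(burst):
        lim.check(nat_ip, 0.0)              # user1@email.com, wrong password x10
    user2_same_ip, _ = lim.check(nat_ip, 1.0)
    user3_other_ip, _ = lim.check(other_ip, 1.0)
    return user2_same_ip, user3_other_ip


def scenario_2fa_devices(period: float = 300, burst: int = 10, devices: int = 5):
    """Each 2FA login hits the endpoint twice (password, then OTP), so five
    devices from one IP use up a burst of ten; a sixth device has to wait."""
    lim = LoginRateLimiter(period, burst)
    ip = "192.0.2.10"                       # constructed office egress IP
    completed = 0
    for d in range(devices):
        pw_ok, _ = lim.check(ip, float(d))          # password step
        otp_ok, _ = lim.check(ip, float(d) + 0.5)   # 2FA step
        if pw_ok and otp_ok:
            completed += 1
    sixth_ok, wait = lim.check(ip, float(devices))
    return completed, sixth_ok, wait


if __name__ == "__main__":
    print("single IP:", scenario_single_ip())
    print("shared NAT:", scenario_shared_nat())
    print("2FA devices:", scenario_2fa_devices())
```

Run it to see the three answers in numbers: with 300/10, the eleventh call from one IP is refused with a 300 s retry, a second user behind the same NAT is refused while a different IP is not, and five 2FA logins leave a sixth device waiting 295 s. Because the limiter is keyed by IP, a reverse proxy in front of Vaultwarden must pass the real client address through, otherwise every user shares the proxy's single bucket.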